Description
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java, src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM.
A flaw was found in the Jenkins Script Security plugin version 1.53. An attacker with Overall/Read permissions is able to escape the sandbox and execute arbitrary code on the Jenkins master JVM. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Affected packages
Platform | Package | State | Advisory | Release |
---|---|---|---|---|
Red Hat OpenShift Container Platform 3.10 | jenkins-2-plugins | Will not fix | ||
Red Hat OpenShift Container Platform 3.4 | jenkins-plugin-script-security | Will not fix | ||
Red Hat OpenShift Container Platform 3.5 | jenkins-plugin-script-security | Will not fix | ||
Red Hat OpenShift Container Platform 3.6 | jenkins-2-plugins | Will not fix | ||
Red Hat OpenShift Container Platform 3.7 | jenkins-2-plugins | Will not fix | ||
Red Hat OpenShift Container Platform 3.9 | jenkins-2-plugins | Will not fix | ||
Red Hat OpenShift Container Platform 4 | jenkins-2-plugins | Not affected | ||
Red Hat OpenShift Container Platform 3.11 | jenkins-2-plugins | Fixed | RHSA-2019:0739 | 10.04.2019 |
Additional information
Status:
8.8 High
CVSS3
Related vulnerabilities
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java, src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM.
A vulnerability in the GroovySandbox.java and SecureGroovyScript.java components of the Jenkins Script Security plugin that allows an attacker to execute arbitrary code
8.8 High
CVSS3